Either way, because KRACK exploits a flaw in the WPA2 standard itself rather than in any one product, it impacts every device and application that leverages Wi-Fi wireless networking technology – which means smartphones, tablets, notebooks, other computers, printers and other peripherals, routers and other networking equipment, TVs and entertainment gadgets, “smart” appliances, even automobiles – and all the communications and network traffic that passes between them. An attacker within radio range who exploits this vulnerability can decrypt Wi-Fi traffic and, from there, steal confidential information, redirect web page requests, inject malware into unencrypted connections, hijack devices, or execute man-in-the-middle (MITM) and other cyberattacks. Note what KRACK does and does not break: it defeats the encryption of the Wi-Fi link, so traffic that is separately protected by TLS (HTTPS, VPNs) stays confidential unless the attacker can also strip or downgrade that protection.

A significant portion of the Wi-Fi traffic placed at risk by this latest computer security nightmare is web traffic, i.e. information exchanged between websites or apps and their visitors or users. Perhaps that is why Vanhoef used a Match.com session to demonstrate the KRACK in WPA2. In this video he uses the man-in-the-middle position that KRACK gives him to run a protocol-downgrade (SSL-stripping) attack: the website’s TLS is never broken cryptographically, the victim’s browser is simply steered onto plain HTTP, and the sensitive data then travels in the clear where the attacker can read it.

In this tweet, Australian security expert and Microsoft Regional Director Troy Hunt observed that “Match.com was the perfect site to demonstrate the KRACK Attack on – 6 redirects with 5 insecure requests & no HSTS anywhere!” HSTS is short for “HTTP Strict Transport Security”, an HTTPS deployment policy delivered as a response header (Strict-Transport-Security) that tells the browser that, for the stated period (max-age), every request to that host must go over HTTPS and certificate errors must not be clicked through. Because the browser rewrites any http:// link or typed address to https:// itself, before the request ever leaves the machine, there is no plain-HTTP request for an SSL-stripping attacker to tamper with; that is what guards against protocol-downgrade attacks. Two caveats matter in practice: the browser only learns the policy from a response that arrived over HTTPS, so the very first visit is unprotected unless the site is on the browsers’ built-in preload list, and the header has to be sent on the HTTPS responses themselves, not merely on a redirect. Like many other sites “secured” by HTTPS, Match.com had not implemented HSTS prior to the embarrassment of Vanhoef’s demonstration – but you better believe Match.com has HSTS now!
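To make the mechanics concrete, here is an added example (not from this article, and not Match.com’s or Vanhoef’s code) in Python: a small parser for the Strict-Transport-Security header, an audit of a redirect chain for the two things Troy Hunt counted (insecure requests and missing HSTS), and a toy model of a browser’s HSTS store showing why a remembered policy leaves an SSL-stripping attacker nothing to rewrite. The hosts, URLs and response headers are constructed for the demonstration; `example.test` is a placeholder, not a real site.

```python
"""Added example: HSTS parsing, redirect-chain audit, and a toy browser
HSTS store.  All URLs, hosts and headers here are constructed, not captured."""
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns None when the header is absent or has no valid max-age; a browser
    discards such a header (RFC 6797, section 8.1.1).
    """
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def audit_chain(hops):
    """Summarise a redirect chain; each hop is (url, status, response headers).

    Counts redirects, requests that left as plain HTTP (each one is a place an
    on-path attacker can rewrite the page), and whether the final HTTPS
    response carries a usable HSTS policy.
    """
    redirects = sum(1 for _, status, _ in hops if 300 <= status < 400)
    insecure = sum(1 for url, _, _ in hops if urlsplit(url).scheme == "http")
    final_url, _, final_headers = hops[-1]
    hsts = None
    if urlsplit(final_url).scheme == "https":
        hsts = parse_hsts(final_headers.get("Strict-Transport-Security"))
    return {"redirects": redirects, "insecure_requests": insecure, "hsts": hsts}


class Browser:
    """Minimal model of a browser's HSTS host store and its upgrade rule."""

    def __init__(self, preload=()):
        # Preloaded hosts are protected before the first visit ever happens.
        self.hosts = {h: {"max_age": None, "include_subdomains": True, "preload": True}
                      for h in preload}

    def remember(self, url, headers):
        """Record a policy from a response; only HTTPS responses count."""
        parts = urlsplit(url)
        policy = parse_hsts(headers.get("Strict-Transport-Security"))
        if parts.scheme != "https" or policy is None:
            return                              # header over plain HTTP is ignored
        if policy["max_age"] == 0:              # max-age=0 tells the browser to forget
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = policy

    def request_url(self, url):
        """Return the URL that will actually leave the browser."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):            # exact host first, then parents
            policy = self.hosts.get(".".join(labels[i:]))
            if policy and (i == 0 or policy["include_subdomains"]):
                return "https://" + url[len("http://"):]
        return url


def sslstrip_outcome(browser, typed_url):
    """What an on-path attacker running sslstrip gets from one navigation.

    Only a request that leaves the browser as plain HTTP can be rewritten;
    a request the browser upgraded itself is inside TLS end to end.
    """
    return "stripped" if browser.request_url(typed_url).startswith("http://") else "protected"


# Constructed chains (not captured traffic) in the shape Troy Hunt described:
# an HTTPS site reached through insecure hops with no HSTS anywhere ...
NO_HSTS_CHAIN = [
    ("http://www.example.test/", 301, {"Location": "http://example.test/"}),
    ("http://example.test/", 302, {"Location": "https://example.test/"}),
    ("https://example.test/", 200, {"Content-Type": "text/html"}),
]
# ... and the same site hardened: one redirect straight to HTTPS plus an HSTS
# header that covers subdomains and is eligible for the browsers' preload list.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}
HARDENED_CHAIN = [
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/", 200, HARDENED_HEADERS),
]

if __name__ == "__main__":
    print(audit_chain(NO_HSTS_CHAIN))
    print(audit_chain(HARDENED_CHAIN))
    b = Browser()
    print("first visit:", sslstrip_outcome(b, "http://example.test/"))
    b.remember("https://example.test/", HARDENED_HEADERS)
    print("later visit:", sslstrip_outcome(b, "http://www.example.test/"))
```

Even the hardened chain still shows one insecure request: the very first `http://` hop a new visitor makes. That is the first-visit gap HSTS cannot close on its own, and why the `preload` directive and submission to the browser preload list are worth the trouble for a site that handles logins.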

Have you deployed HTTPS without HSTS, or are you still serving pages over plain, unencrypted HTTP? If so, your website and its visitors are especially susceptible to an MITM attack exploiting the WPA2 KRACK vulnerability: a plain-HTTP site exposes everything to anyone on the same Wi-Fi, and an HTTPS site without HSTS can be stripped back to HTTP on any visit where the browser has not already been told to insist on HTTPS. Here are some Brewster County examples:

HSTS is powerful because it makes the browser insist on an encrypted HTTPS connection, which blunts the downgrade attack shown in the demo, but it is not a cure-all for KRACK: it protects only web traffic in browsers that honour it, and it does nothing to repair the Wi-Fi layer itself. You should also apply all KRACK-related firmware and software updates as quickly as your Wi-Fi technology vendors provide them, on clients (phones, laptops, smart devices) as well as on access points, since the client side is where the most damaging variants of the attack bite. And adding HTTPS Everywhere to your web browser is a little thing that can go a long way towards protecting you. The takeaway is this: